Hi Antoine and Bastien,

On Tue, Dec 20, 2016 at 02:58:21PM -0500, Antoine Beaupré wrote:
> Hi secteam,
>
> I believe the fix for bug#845196 shipped with DSA-3726-1 is incomplete,
> at least in stable. It does ship with this patch:
>
> https://github.com/ImageMagick/ImageMagick/commit/1be809ae06f2fcb094836960edb707f81422e964
>
> but not this one:
>
> https://github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a02a046e7
>
> so it is missing one fputc check in convert.
>
> On 2016-12-20 13:34:03, Bastien Roucaries wrote:
> > Please reopen and notify security team
>
> The bug report is actually still open in stable, according to the BTS,
> so I don't believe a change is required there. I have removed the fixed
> marker from the security tracker and added a relevant note.

So for reference, CVEs were assigned for those. Actually as well one
more for the "fwrite issue in ReadGROUP4Image", we should file that as
a separate bug report.

CVE assignment: http://www.openwall.com/lists/oss-security/2016/12/26/9

> > Check return of write function
> > ==============================
> >
> > Debian bug: https://bugs.debian.org/845196
> > Reference URL: https://security-tracker.debian.org/845196
> > Upstream commit:
> > -
> > https://github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a02a046e7
> > -
> > https://github.com/ImageMagick/ImageMagick/commit/4e914bbe371433f0590cefdf3bd5f3a5710069f9
> > Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/196
> > Upstream version fixed: 7.0.1-10
> >
> > The above fixes may be incomplete, according to the upstream issue. In
> > addition, the -6 branch seems to have an incomplete fix as well.
>
> Use CVE-2016-10060 for the issue fixed in
> 933e96f01a8c889c7bf5ffd30020e86a02a046e7.
> Use CVE-2016-10061 for the issue fixed in
> 4e914bbe371433f0590cefdf3bd5f3a5710069f9.
>
> Use CVE-2016-10062 for the fwrite issue in ReadGROUP4Image. This was
> specifically noted at the beginning of issues/196, but not fixed in
> either of these commits. It is not the same as the fputc issue in
> ReadGROUP4Image.

Regards,
Salvatore